SIPS: must die.
or at least we need to fix TLS usage without the SIPS: uri scheme.

oej@edvina.net - 2016-06-17 v 1.0
Example overview
[Figure: two domains, sollentuna.example.com and paris.example.com, with users KURT and ALICE. Labelled links: UA connection (A), server to server connection (B), UA connection (B). Captions: Securing first hop; Securing server 2 server connections; Securing last hop; End to end security.]
The SIPS: uri scheme is an attempt to promise end2end security.
The problem
• SIPS: as a URI scheme implies end2end security, something that can not be verified
• SIPS: promises something that can not really be delivered, especially complex in a world of b2buas and gateways to other protocols
• We need more TLS usage, but SIPS: has too many issues. For some developers, it seems to be the only solution. This makes TLS less deployed in code or in usage
History
• RFC 3261 talks about TLS usage and certificates
• RFC 5630 clarifies SIPS: URI usage and updates RFC 3261
• RFC 5922 defines Domain certificates in SIP
• SIPS: is required to implement to be SIP compatible
Client certificates
• Never properly discussed
• Needs to match the AOR?
• Needs to match the Contact?
• Needs to match something else?
RFC 5630
RFC 5630 - general
• 3.1.1. Points to RFC 5626 (Outbound) for UAs in order to avoid using client certificates (mutual TLS auth)
• Avoids defining SIP TLS client certificates
• 3.1.3 Discusses best effort TLS
• Points to RFC 3261 section 26.3.2.1 for connection reuse (and points to RFC 5626)
RFC 5630 about “;transport=tls”
• 3.1.4 :: “The reinstatement of the transport=tls parameter, or an alternative mechanism for indicating the use of the TLS on a single hop in a URI, is outside the scope of this specification.”
RFC 5630 about hop-by-hop security:
• 3.2 :: “The presence of a SIPS Request-URI does not necessarily indicate that the request was sent securely on each hop. So how does a UAS know if SIPS was used for the entire request path to secure the request end-to-end? Effectively, the UAS cannot know for sure.”
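The quoted point can be made concrete from the UAS side. The following is an added example, not code from the slides: it parses the Via headers of a constructed SIP request and separates what the receiving UAS has actually verified (the transport of the socket it accepted the request on) from what every earlier hop merely claims in its Via header. The request, host names and the `received_transport` argument are assumptions made for the example.

```python
"""Added example (not from the slides): what a UAS can verify about
transport security from a received request, and what it can only take
on trust. The request below is constructed for the example.

Each Via header is written by the hop that forwarded the request, so the
transports it names are claims. The only hop the UAS can check is the
topmost one: that is the connection it accepted itself.
"""
import re

# Constructed request: SIPS Request-URI, yet the middle hop claims plain TCP.
SAMPLE_REQUEST = (
    "INVITE sips:alice@paris.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS edge1.paris.example.com;branch=z9hG4bK-c3\r\n"
    "Via: SIP/2.0/TCP edge1.sollentuna.example.com;branch=z9hG4bK-b2\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-a1\r\n"
    "From: <sip:kurt@sollentuna.example.com>;tag=1\r\n"
    "To: <sip:alice@paris.example.com>\r\n"
    "\r\n"
)

# Transport token and sent-by value of each Via header line.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/([A-Za-z]+)\s+([^;\s]+)", re.M)


def via_hops(request):
    """[(transport, sent-by), ...], topmost Via (nearest hop) first."""
    return [(t.upper(), sent_by) for t, sent_by in VIA_RE.findall(request)]


def request_uri_is_sips(request):
    """True when the Request-URI uses the sips: scheme."""
    request_line = request.split("\r\n", 1)[0]
    return request_line.split(" ", 2)[1].lower().startswith("sips:")


def assess_hops(request, received_transport):
    """Split the picture into what the UAS verified and what was only claimed.

    received_transport is the transport of the socket the UAS accepted the
    request on (assumed here to be handed in by the transport layer).
    """
    hops = via_hops(request)
    claimed = [t for t, _ in hops]
    own = received_transport.upper()
    return {
        "sips_uri": request_uri_is_sips(request),
        "claimed_transports": claimed,
        "all_hops_claim_tls": bool(claimed) and all(t == "TLS" for t in claimed),
        "first_hop_is_tls": own == "TLS",                 # verified by our own socket
        "top_via_matches_socket": bool(hops) and hops[0][0] == own,
        "unverifiable_hops": max(len(hops) - 1, 0),       # everything behind the edge
    }


if __name__ == "__main__":
    for key, value in assess_hops(SAMPLE_REQUEST, "tls").items():
        print(f"{key}: {value}")
```

Even when every Via line says TLS, `unverifiable_hops` stays the same: the UAS has no way to confirm those claims, and a B2BUA or gateway on the path may have rewritten the Via list entirely.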
RFC 5630 modification to 3261:
• 4 :: “Because of all the problems described in Section 3.3, this specification deprecates the last-hop exception when forwarding a request to the last hop (see Section 5.3). This will ensure that TLS is used on all hops all the way up to the remote target.”
• Which means SIP outbound (RFC 5626) or client certs for the last hop.
RFC 5630 on padlock icons
• Section 4 :: “Some have been tempted to believe that the SIPS scheme was equivalent to an HTTPS scheme in the sense that one could provide a visual indication to a user (e.g., a padlock icon) to the effect that the session is secured. This is obviously not the case, and therefore the meaning of a SIPS URI is not to be oversold. There is currently no mechanism to provide an indication of end-to-end security for SIP.”
Service owner may control TLS usage in DNS
• By only publishing TLS in DNS NAPTR/SRV records, the service owner can limit UAs to TLS only
• May also implement a policy where TLS is preferred but TCP/UDP is accepted
Where are we?
[Figure: same as the Example overview. sollentuna.example.com and paris.example.com, KURT and ALICE; UA connection (A), server to server connection (B), UA connection (B). Captions: Securing first hop; Securing server 2 server connections; Securing last hop.]
Using SIP outbound and TLS we can secure the first/last hop. The user has no way to affect what happens between servers or beyond gateways.
What if we just remove the SIPS: uri scheme?
Remove SIPS:
• Implementations can be SIP compatible without SIPS:
• We only have control over the FIRST hop, to the edge server
• What happens beyond that server is no longer in control (if it ever was)
Client side control
• Clients (UAs) implement a “require TLS” option checkbox in the configuration page, which forces lookup of NAPTR records and then the DNS SRV records
• If no DNS support, try TLS port 5061
• This only applies to the first hop
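The two policies described on these slides, a service owner who publishes only TLS in NAPTR/SRV and a client-side “require TLS” option, meet in the first-hop resolver. The following is an added example, not the slides' own code: it walks the lookup order from the slide (NAPTR, then SRV, then TLS port 5061 when the domain has no records) and, with `require_tls=True`, discards every non-TLS candidate rather than downgrading. The zone data, host names and the `require_tls` parameter are constructed for the example; nothing is queried from real DNS.

```python
"""Added example (not the slides' own code): first-hop resolution under a
client-side "require TLS" option, against constructed NAPTR/SRV data that
shows a TLS-preferring and a TLS-only service owner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    service: str       # "SIPS+D2T" (TLS), "SIP+D2T" (TCP) or "SIP+D2U" (UDP)
    replacement: str   # SRV name to query next


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# NAPTR service field -> SIP transport. Unknown services are ignored.
TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

# Constructed zone data. sollentuna.example.com prefers TLS (lowest
# preference value wins) but still offers TCP and UDP; paris.example.com is
# a TLS-only service owner: no NAPTR, and only a _sips._tcp SRV record.
NAPTR_RECORDS = {
    "sollentuna.example.com": [
        Naptr(10, 50, "SIP+D2U", "_sip._udp.sollentuna.example.com"),
        Naptr(10, 40, "SIP+D2T", "_sip._tcp.sollentuna.example.com"),
        Naptr(10, 30, "SIPS+D2T", "_sips._tcp.sollentuna.example.com"),
    ],
}
SRV_RECORDS = {
    "_sip._udp.sollentuna.example.com": [Srv(10, 10, 5060, "edge1.sollentuna.example.com")],
    "_sip._tcp.sollentuna.example.com": [Srv(10, 10, 5060, "edge1.sollentuna.example.com")],
    "_sips._tcp.sollentuna.example.com": [Srv(10, 10, 5061, "edge1.sollentuna.example.com")],
    "_sips._tcp.paris.example.com": [
        Srv(10, 60, 5061, "edge1.paris.example.com"),
        Srv(20, 10, 5061, "edge2.paris.example.com"),
    ],
}


def resolve_first_hop(domain, require_tls=True, naptr=NAPTR_RECORDS, srv=SRV_RECORDS):
    """Return ordered (transport, host, port) candidates for the first hop.

    With require_tls=True every non-TLS candidate is dropped, so a domain
    that advertises only UDP/TCP yields an empty list instead of a downgrade
    (that refusal is this example's policy choice, not an RFC 3263 rule).
    """
    published = naptr.get(domain, [])
    records = sorted((r for r in published if r.service.upper() in TRANSPORT),
                     key=lambda r: (r.order, r.preference))
    if require_tls:
        records = [r for r in records if TRANSPORT[r.service.upper()] == "tls"]

    if records:
        srv_names = [(r.replacement, TRANSPORT[r.service.upper()]) for r in records]
    elif published:
        return []           # NAPTR exists but offers no acceptable transport
    else:
        # No NAPTR: query the well-known SRV names directly, TLS first.
        srv_names = [(f"_sips._tcp.{domain}", "tls")]
        if not require_tls:
            srv_names += [(f"_sip._tcp.{domain}", "tcp"), (f"_sip._udp.{domain}", "udp")]

    candidates = []
    for name, transport in srv_names:
        for rec in sorted(srv.get(name, []), key=lambda r: (r.priority, -r.weight)):
            candidates.append((transport, rec.target, rec.port))
    if candidates:
        return candidates

    # No DNS support at all: fall back to the domain itself on the TLS port.
    fallback = [("tls", domain, 5061)]
    if not require_tls:
        fallback += [("tcp", domain, 5060), ("udp", domain, 5060)]
    return fallback


if __name__ == "__main__":
    for d in ("sollentuna.example.com", "paris.example.com", "nodns.example.com"):
        print(d, resolve_first_hop(d), resolve_first_hop(d, require_tls=False))
```

With `require_tls=False` the client simply follows the service owner's NAPTR ordering, which is how the “TLS preferred but TCP/UDP accepted” policy from the earlier slide is expressed in DNS. Either way the result only governs the connection to the edge server; nothing here says anything about the hops beyond it.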
Requirements
• A way to force clients to use TLS for inbound connections
• A simple way to reuse that connection for outbound requests
• Maybe a way to get confidentiality for hops beyond the proxy
• If so, a way to verify that confidentiality
Just a thought: S/MIME
• Can we wake up S/MIME again?
• If not, have we analysed the issues with it?
• Any experience?
• There’s some sort of end2end security promise in that platform.
Summary
• In my view, SIPS: is too hard to implement and if implemented, delivers a false promise
• TLS edge connections need to be made simpler - outbound doesn’t seem to be accepted as the solution
• We need to look deeper into end2end integrity, confidentiality and privacy
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 

Último (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 

Sips must die, die, die - about TLS usage in the SIP protocol

  1. SIPS: must die.
     or at least we need to fix TLS usage without the SIPS: uri scheme.
     oej@edvina.net - 2016-06-17 v 1.0

  2. Example overview
     [Diagram: sollentuna.example.com, paris.example.com, KURT, ALICE; UA connections (A) and (B) and a server to server connection; labels: Securing first hop, Securing server 2 server connections, Securing last hop, End to end security]
     The SIPS: uri scheme is an attempt to promise end2end security.

  3. The problem
     • SIPS: as a URI scheme implies end2end security, something that cannot be verified
     • SIPS: promises something that cannot really be delivered, which is especially complex in a world of B2BUAs and gateways to other protocols
     • We need more TLS usage, but SIPS: has too many issues. For some developers it seems to be the only solution, which makes TLS less deployed in code and in usage

  4. History
     • RFC 3261 talks about TLS usage and certificates
     • RFC 5630 clarifies SIPS: URI usage and updates RFC 3261
     • RFC 5922 defines domain certificates in SIP
     • Implementing SIPS: is required to be SIP compatible

  5. Client certificates
     • Never properly discussed
     • Needs to match the AOR?
     • Needs to match the Contact?
     • Needs to match something else?

  7. RFC 5630 - general
     • 3.1.1 points to RFC 5626 (Outbound) for UAs in order to avoid using client certificates (mutual TLS auth)
     • Avoids defining SIP TLS client certificates
     • 3.1.3 discusses best-effort TLS
     • Points to RFC 3261 section 26.3.2.1 for connection reuse (and points to RFC 5626)

  8. RFC 5630 about “;transport=tls”
     • 3.1.4 :: “The reinstatement of the transport=tls parameter, or an alternative mechanism for indicating the use of the TLS on a single hop in a URI, is outside the scope of this specification.”

  9. RFC 5630 about hop-by-hop security:
     • 3.2 :: “The presence of a SIPS Request-URI does not necessarily indicate that the request was sent securely on each hop. So how does a UAS know if SIPS was used for the entire request path to secure the request end-to-end? Effectively, the UAS cannot know for sure.”

  10. RFC 5630 modification to 3261:
     • 4 :: “Because of all the problems described in Section 3.3, this specification deprecates the last-hop exception when forwarding a request to the last hop (see Section 5.3). This will ensure that TLS is used on all hops all the way up to the remote target.”
     • Which means SIP outbound (RFC 5626) or client certs for the last hop.

  11. RFC 5630 on padlock icons
     • Section 4 :: “Some have been tempted to believe that the SIPS scheme was equivalent to an HTTPS scheme in the sense that one could provide a visual indication to a user (e.g., a padlock icon) to the effect that the session is secured. This is obviously not the case, and therefore the meaning of a SIPS URI is not to be oversold. There is currently no mechanism to provide an indication of end-to-end security for SIP.”

  12. Service owner may control TLS usage in DNS
     • By only presenting TLS in DNS NAPTR/SRV records, the service owner may limit UAs to TLS only
     • May also implement a policy where TLS is preferred but TCP/UDP is accepted

  13. Where are we?
     [Same diagram as slide 2: sollentuna.example.com, paris.example.com, KURT, ALICE; UA connections (A) and (B) and a server to server connection; labels: Securing first hop, Securing server 2 server connections, Securing last hop]
     • Using SIP outbound and TLS we can secure the first/last hop
     • The user has no way to affect what happens between servers or beyond gateways

  14. What if we just remove the SIPS: uri scheme?

  15. Remove SIPS:
     • Implementations can be SIP compatible without SIPS:
     • We only have control over the FIRST hop, to the edge server
     • What happens beyond that server is no longer in our control (if it ever was)

  16. Client side control
     • Clients (UAs) implement a “require TLS” option checkbox in the configuration page, which forces lookup of NAPTR records and then DNS SRV records
     • If there is no DNS support, try TLS on port 5061
     • This only applies to the first hop
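The DNS-side policy of slide 12 and the client-side “require TLS” option of slide 16, as an added example that is not part of the original deck: an RFC 3263-style first-hop selection run against constructed NAPTR/SRV zone data (the host edge.paris.example.com and the zone contents are assumptions for the example).

```python
"""Added example, not from the slides: RFC 3263-style first-hop selection
with the slide 16 "require TLS" option against the slide 12 DNS policies.
Zone contents and host names are constructed for the example."""
from collections import namedtuple

# NAPTR: lower order, then lower preference, is tried first; the service
# field names the transport and replacement is the SRV name to query next.
Naptr = namedtuple("Naptr", "order pref service replacement")
Srv = namedtuple("Srv", "priority weight port target")
SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

# Constructed zones. TLS_ONLY publishes only a SIPS NAPTR, so every RFC 3263
# client ends up on TLS. TLS_PREFERRED lists TLS first but still offers TCP
# and UDP. TCP_ONLY and EMPTY model domains that do not offer TLS in DNS.
_SRV = {
    "_sips._tcp.paris.example.com": [Srv(0, 1, 5061, "edge.paris.example.com")],
    "_sip._tcp.paris.example.com": [Srv(0, 1, 5060, "edge.paris.example.com")],
    "_sip._udp.paris.example.com": [Srv(0, 1, 5060, "edge.paris.example.com")],
}
TLS_ONLY = {"naptr": [Naptr(10, 10, "SIPS+D2T", "_sips._tcp.paris.example.com")],
            "srv": _SRV}
TLS_PREFERRED = {"naptr": [Naptr(10, 10, "SIPS+D2T", "_sips._tcp.paris.example.com"),
                           Naptr(20, 10, "SIP+D2T", "_sip._tcp.paris.example.com"),
                           Naptr(30, 10, "SIP+D2U", "_sip._udp.paris.example.com")],
                 "srv": _SRV}
TCP_ONLY = {"naptr": [Naptr(10, 10, "SIP+D2T", "_sip._tcp.paris.example.com")],
            "srv": _SRV}
EMPTY = {"naptr": [], "srv": {}}


def select_first_hop(domain, zone, require_tls=False):
    """Return (transport, host, port) for the UA's first hop.

    With require_tls every non-TLS NAPTR is skipped. SRV choice here simply
    takes lowest priority / highest weight rather than RFC 2782 weighted
    randomness. With no usable records, require_tls tries TLS on port 5061
    (slide 16); otherwise RFC 3263 falls back to UDP on port 5060.
    """
    for rec in sorted(zone["naptr"], key=lambda r: (r.order, r.pref)):
        transport = SERVICE_TO_TRANSPORT.get(rec.service)
        if transport is None or (require_tls and transport != "tls"):
            continue
        srv = sorted(zone["srv"].get(rec.replacement, []),
                     key=lambda s: (s.priority, -s.weight))
        if srv:
            return transport, srv[0].target, srv[0].port
    if require_tls:
        return "tls", domain, 5061
    return "udp", domain, 5060
```

Note that with TCP_ONLY the "require TLS" client ends up probing port 5061 directly, which is exactly the first-hop-only guarantee slide 16 describes: the UA can refuse cleartext to its edge server but learns nothing about later hops.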
  17. Requirements
     • A way to force clients to use TLS for inbound connections
     • A simple way to reuse that connection for outbound requests
     • Maybe a way to get confidentiality for hops beyond the proxy
     • If so, a way to verify that confidentiality

  18. Just a thought: S/MIME
     • Can we wake up S/MIME again?
     • If not, have we analysed the issues with it?
     • Any experience?
     • There’s some sort of end2end security promise in that platform.

  19. Summary
     • In my view, SIPS: is too hard to implement and, if implemented, delivers a false promise
     • TLS edge connections need to be made simpler - outbound doesn’t seem to be accepted as the solution
     • We need to look deeper into end2end integrity, confidentiality and privacy